Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes for a couple of important points.
# of Caveats: 0
# of Usage Notes: 4

Relevant Product Characteristics

  • This product is designed specifically with mental/behavioral health professionals in mind.
  • The leadership or management behind this product includes at least one mental/behavioral health professional.

What Is This Product?

SimplePractice is a full-featured, web-based practice management tool that offers scheduling, client reminders, payment, treatment plan collaboration, and intake form management, among other things. For a full review of SimplePractice’s features, see Tame Your Practice’s review of SimplePractice.

Our Impressions

Very positive. Our technical and compliance-related questions were addressed quickly and thoroughly. We also experienced the company as being highly responsive to our questions and feedback. When you’re working with a company that maintains records for you, the kind of responsiveness that SimplePractice displays is important.

Based on the information gathered in our review, we have no hesitations in recommending SimplePractice as appropriate for your risk management needs.

NOTE: SimplePractice has gone through a number of updates since we last reviewed it in depth. Our “HIPAA compliance possible? Yes” and “recommended” review outcomes are current. Our usage notes have not yet been updated to address the feature additions, so the usage notes are not exhaustive. (1/8/21)

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at [email protected].

This product has also been reviewed by:

  • Tame Your Practice: Rob Reinhardt of Tame Your Practice does highly-respected reviews of EHR products. While we review them primarily for risk management appropriateness, Rob reviews them for features and quality. Read Rob’s review of this product→


Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.



Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Avoid sending unsecured appointment reminders without proper collaborative risk analysis

SimplePractice offers appointment reminders by email, SMS text message, and automatic voice call.

SimplePractice wisely gives you the ability to have clients opt-in before sending them email or SMS text reminders. Remember, though, that when using conventional email or text messaging, you need to determine if simple opt-in is sufficient for your ethical and legal needs. Read our article on unsecured communications here for some guidance to help you decide what you need to do around appointment reminders to stay legal and ethical in your practice. It is also covered in detail in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner.

If it turns out that unsecured email or text communications are legally-ethically workable for you, SimplePractice executes a Business Associate Agreement with you, which makes it legal for them to send those emails or texts on your behalf.

2) Be sure you are following simple security measures like using appropriate passwords and computer/device security

SimplePractice has fairly un-complex password requirements, so when setting a password be sure to exceed their suggested minimum complexity.

SimplePractice has a mobile app. This is very useful and convenient, and the app depends on you to keep your phone secure so that the app is secure, too. Our HIPAA Investigation Repellent course covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.

3) Lock your progress notes

If you have more than one clinician in your practice who has access to the same clients’ files, lock your client progress notes once you’ve completed them. While SimplePractice tracks some changes to notes, it couldn’t tell you, for example, that Clinician A updated Clinician B’s progress notes on Client Z. Note that only progress notes can be locked. Locking the note will help make sure it remains clear who created and edited the note.

Another way to mitigate the risk of another clinician overwriting or changing progress notes is to be cautious about giving any clinician besides the primary account holder “Administrator Access,” since an Administrator can read and change any non-locked notes.

4) Use your HIPAA-friendly email account to receive reports from SimplePractice

SimplePractice can send some useful reports to your email on a regular basis. While these emails are designed to significantly reduce the identifying information they contain, we recommend that you use your HIPAA-friendly email account (one with a Business Associate Agreement in place) to receive the emails. This may be a belt-and-suspenders approach, but it is very likely that if you are reading this review, then you already have an email account with a Business Associate Agreement. So we recommend you use that one to receive your reports from SimplePractice.

